
I occasionally have a client who tries to email me and says his email gets blocked by my server. When I check the logs, I see this:

Sep 6 18:12:52 myers amavis[15197]: (15197-08) p.path BANNED:1 me@myaddress.com: "P=p003,L=1,M=multipart/mixed | P=p002,L=1/2,M=application/ms-tnef,T=tnef,N=winmail.dat | P=p004,L=1/2/1,T=image,T=gif,N=image001.gif,N=image001.gif", matching_key="(?-xism:^\\.(exe|lha|tnef|cab|dll)$)"

And then a little later...

Sep 6 18:12:58 myers amavis[15197]: (15197-08) Blocked BANNED (.image,.gif,image001.gif,image001.gif), [213.199.154.205] [157.56.236.229] <client@emailaddress.com> -, quarantine: banned-g4QhZGvwJvDF, Message-ID <6A9596BE385EC1499F83E464FA9ECCA20C668320@BY2PRD0611MB417.namprd06.prod.outlook.com>, mail_id: g4QhZGvwJvDF, Hits: -, size: 20916, 8439 ms

From this and the bounce that he forwards me (to a different address I give him), I determine that it's bouncing because of the file in his signature (image001.gif). However, that does NOT match the "key" in this part of the log:

 matching_key="(?-xism:^\\.(exe|lha|tnef|cab|dll)$)"

Furthermore, the .gif extension is nowhere to be found in the /etc/amavisd.conf file (i.e. I'm not blocking emails because they contain .gif images).

Am I missing something here? This is strange... and annoying.

quanta
David W
  • Do you have SpamAssassin? I guess your MTA doesn't ban. – PersianGulf Sep 12 '12 at 23:01
  • I use Postfix as my MTA; when you say 'ban', are you "guessing" that Postfix isn't configured to ban gif images? To my knowledge, no. I've reviewed /etc/postfix/main.cf as well as master.cf. In terms of spam, assuming the email gets past spamhaus, then spamcop, then barracudacentral, I use ClamAV to scan for viruses and additional spam and such. I don't have SpamAssassin. – David W Sep 12 '12 at 23:12

2 Answers


Have a look at the file; maybe the content is something else. Amavis is using 'file' to look at the content to determine what content type it is.

  • Thanks for the response. I believe you were correct, but I'm going to wait a little while before confirming. The "blocked anywhere" directive included this line: qr'^\.(exe|lha|cab|tnef|dll)$'. I reexamined the logs, bounce messages, and the info I pasted into this question, and saw a consistent theme: they all contained something with a .tnef extension. I researched it, and it turns out it's coming from Microsoft Outlook, and was considered a potential security vulnerability. I'm researching now how "unsafe" it would be for me to turn it off, but in the meantime, I have done so. Thanks again. – David W Sep 15 '12 at 02:02

Final conclusion after getting advice from Båt Karl Patrik Andersson

The "blocked anywhere" directive included this line:

qr'^\.(exe|lha|cab|tnef|dll)$'.

I reexamined the logs, bounce messages, and the info I pasted into this question, and saw a consistent theme: they all contained something with a .tnef extension.

I researched it, and it turns out it's coming from Microsoft Outlook, and was considered a potential security vulnerability. I'm researching now how "unsafe" it would be for me to turn it off, but in the meantime, I have done so.

masegaloeh
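The confusion in the question (the log names image001.gif, but the matching key is the exe/lha/tnef/cab/dll rule) and the conclusion in the last answer (the TNEF container is what tripped the rule) can be checked mechanically. The following is an added example, not code from the question, the answers or the amavis project: it parses the `p.path` part list exactly as it appears in the question's BANNED log line and runs the question's own `banned_filename_re` pattern over each part on the path. The set of strings tested per part (`.type`, the file name, its `.extension`, and the MIME type) is an assumption made here about how amavis builds its candidate list; the part list and regex are the ones from the question.

```python
import re

# Constructed sample: the part list quoted in the question's BANNED log line
# (root part first, leaf part last), not a live log from this server.
PARTS_FIELD = (
    "P=p003,L=1,M=multipart/mixed | "
    "P=p002,L=1/2,M=application/ms-tnef,T=tnef,N=winmail.dat | "
    "P=p004,L=1/2/1,T=image,T=gif,N=image001.gif,N=image001.gif"
)

# The rule from the question's amavisd.conf: qr'^\.(exe|lha|cab|tnef|dll)$'
# (amavis logs it wrapped as (?-xism:...) with the backslash doubled).
BANNED_NAME_RE = r"^\.(exe|lha|cab|tnef|dll)$"


def parse_parts(field):
    """Split an amavis part list into one dict per part.

    Keys that repeat within a part (T=, N=) are collected into lists.
    """
    parts = []
    for chunk in field.split(" | "):
        part = {}
        for kv in chunk.split(","):
            key, _, value = kv.partition("=")
            part.setdefault(key, []).append(value)
        parts.append(part)
    return parts


def candidate_names(part):
    """Strings that the banned-name rule is tested against for one part.

    Assumption (not stated on the page): each declared type becomes ".type",
    each file name is tested as-is and as its lower-cased ".ext", and the
    MIME type is tested verbatim.
    """
    names = []
    for t in part.get("T", []):
        names.append("." + t)
    for n in part.get("N", []):
        names.append(n)
        if "." in n:
            names.append("." + n.rsplit(".", 1)[1].lower())
    for m in part.get("M", []):
        names.append(m)
    return names


def find_banned(field, pattern=BANNED_NAME_RE):
    """Return [(part_id, matched_string)] for every part on the path that trips the rule.

    Any match anywhere on the root-to-leaf path bans the whole message, even
    though the log's "Blocked BANNED (...)" summary only names the leaf part.
    """
    regex = re.compile(pattern)
    hits = []
    for part in parse_parts(field):
        pid = part["P"][0]
        for cand in candidate_names(part):
            if regex.search(cand):
                hits.append((pid, cand))
    return hits


if __name__ == "__main__":
    for pid, cand in find_banned(PARTS_FIELD):
        print(f"part {pid} banned by {BANNED_NAME_RE!r} on {cand!r}")
    # Removing "tnef" from the rule, as the asker did, clears the path.
    print("after dropping tnef:", find_banned(PARTS_FIELD, r"^\.(exe|lha|cab|dll)$"))
```

Run against the question's part list, the only hit is on p002 (the `winmail.dat` TNEF wrapper, via `.tnef`); p004's `.image`, `.gif` and `image001.gif` never match, which is why the `.gif` extension is absent from amavisd.conf yet the message is still blocked. The practical lesson for reading these logs is to scan the whole `p.path` chain in the first BANNED line rather than the leaf names in the later "Blocked BANNED (...)" line.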